Quantum Versus Classical Proofs and Advice
Abstract

This paper studies whether quantum proofs are more powerful than classical proofs, or in complexity terms, whether QMA = QCMA. We prove three results about this question. First, we give a "quantum oracle separation" between QMA and QCMA. More concretely, we show that any quantum algorithm needs $\Omega\left(\sqrt{2^n/(m+1)}\right)$ queries to find an $n$-qubit "marked state" $|\psi\rangle$, even if given an $m$-bit classical description of $|\psi\rangle$ together with a quantum black box that recognizes $|\psi\rangle$. Second, we give an explicit QCMA protocol that nearly achieves this lower bound. Third, we show that, in the one previously-known case where quantum proofs seemed to provide an exponential advantage, classical proofs are basically just as powerful. In particular, Watrous gave a QMA protocol for verifying non-membership in finite groups. Under plausible group-theoretic assumptions, we give a QCMA protocol for the same problem. Even with no assumptions, our protocol makes only polynomially many queries to the group oracle. We end with some conjectures about quantum versus classical oracles, and about the possibility of a classical oracle separation between QMA and QCMA.
If someone hands you a quantum state, is that more "useful" than being handed a classical string with a comparable
number of bits? In particular, are there truths that you can efficiently verify, and are there problems that you can 
efficiently solve, using the quantum state but not using the string? These are the questions that this paper addresses, 
and that it answers in several contexts. 

Recall that QMA, or Quantum Merlin-Arthur, is the class of decision problems for which a "yes" answer can be verified in quantum polynomial time, with help from a polynomial-size quantum witness state $|\psi\rangle$. Many results are known about QMA: for example, it has natural complete problems [14], allows amplification of success probabilities [17], and is contained in PP [17].

Yet as Aharonov and Naveh [3] pointed out in 2002, the very definition of QMA raises a fundamental question. Namely: is it really essential that the witness be quantum, or does it suffice for the algorithm verifying the witness to be quantum? To address this question, Aharonov and Naveh defined the class QCMA, or "Quantum Classical Merlin-Arthur," to be the same as QMA except that now the witness is classical.¹ We can then ask whether QMA = QCMA. Not surprisingly, the answer is that we don't know.

If we can't decide whether two complexity classes are equal, the usual next step is to construct a relativized world 
that separates them. This would provide at least some evidence that the classes are different. But in the case of QMA 
versus QCMA, even this limited goal has remained elusive. 

Closely related to the question of quantum versus classical proofs is that of quantum versus classical advice. 
Compared to a proof, advice has the advantage that it can be trusted, but the disadvantage that it can't be tailored to a 
particular input. More formally, let BQP/qpoly be the class of problems solvable in quantum polynomial time, with 
help from a polynomial-size "quantum advice state" $|\psi_n\rangle$ that depends only on the input length $n$. Then the question
is whether BQP/qpoly = BQP/poly, where BQP/poly is the class of problems solvable in quantum polynomial time
with help from polynomial-size classical advice. Aaronson [2] showed that BQP/qpoly $\subseteq$ PP/poly, which at least
tells us that quantum advice is not "infinitely" more powerful than classical advice. But, like the QMA versus QCMA 
question, the BQP/qpoly versus BQP/poly question has remained open, with not even an oracle separation known. 

* University of Waterloo. Email: scott@scottaaronson.com. 
¹ Some say that this class would more accurately be called CMQA, for "Classical Merlin Quantum Arthur." But QCMA has stuck.



1.1 Our Results 

This paper introduces new tools with which to attack QMA versus QCMA and related questions. 

First, we achieve an oracle separation between QMA and QCMA, but only by broadening the definition of "oracle." 
In particular, we introduce the notion of a quantum oracle, which is just an infinite sequence of unitaries $U = \{U_n\}_{n \ge 1}$
that a quantum algorithm can apply in a black-box fashion. Just as a classical oracle models a subroutine to which
an algorithm has black-box access, so a quantum oracle models a quantum subroutine, which can take quantum input
and produce quantum output. We are able to give a quantum oracle that separates QMA from QCMA:

Theorem 1.1 There exists a quantum oracle $U$ such that $\mathsf{QMA}^U \ne \mathsf{QCMA}^U$.

Similarly, there exists a quantum oracle $V$ such that $\mathsf{BQP}^V/\mathsf{qpoly} \ne \mathsf{BQP}^V/\mathsf{poly}$.

Theorem 1.1 implies that if QMA = QCMA, then any proof of this fact will require "quantumly nonrelativizing
techniques": techniques that are sensitive to the presence of quantum oracles. Currently, we do not know of any 
quantumly nonrelativizing techniques that are not also classically nonrelativizing. For this reason, we believe that 
quantum oracle results merit the same informal interpretation as classical oracle results: almost any argument that one 
might advance against the former, is also an argument against the latter! The difference is that quantum oracle results 
are sometimes much easier to prove than classical ones. To our knowledge, this paper provides the first example of 
this phenomenon, but other examples have since emerged ifD llQI . 

Underlying Theorem 1.1 is the following lower bound. Suppose a unitary oracle $U_n$ acts on $n$ qubits, and suppose there exists a secret $n$-qubit "marked state" $|\psi_n\rangle$ such that $U_n|\psi_n\rangle = -|\psi_n\rangle$, but $U_n|\phi\rangle = |\phi\rangle$ whenever $|\phi\rangle$ is orthogonal to $|\psi_n\rangle$. Then even if a quantum algorithm is given $m$ bits of classical advice about $|\psi_n\rangle$, the algorithm still needs $\Omega\left(\sqrt{2^n/(m+1)}\right)$ queries to $U_n$ to find $|\psi_n\rangle$. Note that when $m = 0$, we recover the usual $\Omega\left(\sqrt{2^n}\right)$ lower bound for Grover search as a special case. At the other extreme, if $m \approx 2^n$ then our bound gives nothing — not surprisingly, since the classical advice might contain explicit instructions for preparing $|\psi_n\rangle$. The point is that, if $m$ is not exponentially large, then exponentially many queries are needed.

Since $|\psi_n\rangle$ is an arbitrary $2^n$-dimensional unit vector, it might be thought obvious that $2^{\Omega(n)}$ bits are needed to describe that vector. The key point, however, is that the QCMA verifier is given not only a classical description of $|\psi_n\rangle$, but also oracle access to $U_n$. So the question is whether some combination of these resources might be exponentially more powerful than either one alone. We prove that the answer is no, using the hybrid argument of Bennett et al. [7] together with geometric results about partitionings of the unit sphere.

In Section 4 we show that our lower bound is basically tight, by giving an algorithm that finds $|\psi_n\rangle$ using $O\left(\sqrt{2^n/m}\right)$ queries when $m > 2n$. This algorithm has the drawback of being computationally inefficient. To fix this, we give another algorithm that finds $|\psi_n\rangle$ using $O\left(n\sqrt{2^n/m}\right)$ queries together with $O\left(n^2\sqrt{2^n/m} + \mathrm{poly}(m)\right)$ computational steps.

Having separated QMA from QCMA by a quantum oracle, we next revisit the question of whether these classes can be separated by a classical oracle. Right now, we know of only one candidate problem for such a separation in the literature: the Group Non-Membership (GNM) problem, which Watrous [24] placed in QMA even though Babai [4] showed that it is not in MA. In this problem, Arthur is given black-box access to a finite group $G$, together with a subgroup $H \le G$ specified by its generators and an element $x \in G$. Arthur's goal is to verify that $x \notin H$, using a number of group operations polynomial in $\log |G|$. (Note that the group membership problem is in NP by an easy argument.) In Watrous's protocol, the quantum witness is simply an equal superposition $|H\rangle$ over the elements of $H$. Given such a witness, Arthur can check non-membership by comparing the states $|H\rangle$ and $|xH\rangle$, and can similarly check the veracity of $|H\rangle$ by comparing it to $|hH\rangle$, where $h$ is an almost-uniformly random element of $H$.

Evidently a classical proof of non-membership would have to be completely different. Nevertheless, in Section 5
we show the following: 

Theorem 1.2 GNM has polynomially-bounded QCMA query complexity. 

Theorem 1.2 implies that it is pointless to try to prove a classical oracle separation between QMA and QCMA by
proving a lower bound on the quantum query complexity of Group Non-Membership. If such a separation is possible, 
then a new approach will be needed. 



The idea of the proof of Theorem 1.2 is that Merlin can "pull the group out of the black box." In other words, he can claim an embedding of a model group $\Gamma$ into $G$. This claim is entirely classical, but verifying it requires solving the Normal Hidden Subgroup Problem (NHSP) in $\Gamma$. This problem has low query complexity by a result of Ettinger, Høyer, and Knill [11], but is not known to be in BQP. In addition, analyzing the description of $\Gamma$ is not known to be computationally efficient. Nonetheless, in Section 5 we discuss evidence that NHSP is in BQP and that non-membership for $\Gamma$ is in NP. Based on this evidence, we conjecture the following:

Conjecture 1.3 GNM is in QCMA. 

Given our results in Section 5, the question remains of whether there is some other way to prove a classical oracle separation between QMA and QCMA. In Section 6 we conjecture that the answer is yes:

Conjecture 1.4 There exists a classical oracle $A$ such that $\mathsf{QMA}^A \ne \mathsf{QCMA}^A$. Furthermore, this can be proven by exhibiting an oracle problem with polynomial QMA query complexity but exponential QCMA query complexity.



The reason we believe Conjecture 1.4 is that it seems possible, for many purposes, to "encode" a quantum oracle into a classical one. In Section 6 we explain more concretely what we mean by that, and present some preliminary results. For example, we show that there exists a BQP algorithm that maps an oracle string $A$ to an $n$-qubit pure state $|\psi_A\rangle$, such that if $A$ is uniformly random, then $|\psi_A\rangle$ is (under a suitable metric) close to uniformly random under the Haar measure. On the negative side, we show that any quantum algorithm that applies an $N$-dimensional unitary $U_A$ after making a single quantum query to a classical oracle $A$, can apply at most $4^N$ distinct unitaries.

We end in Section^with some open problems. 

2 Preliminaries 

Throughout this paper, we refer to the set of $N$-dimensional pure states as $\mathbb{CP}^{N-1}$ (that is, complex projective space
with $N - 1$ dimensions). We use Pr to denote probability, and E to denote expectation.

We assume familiarity with standard complexity classes such as BQP and MA. For completeness, we now define 
QMA, QCMA, BQP/qpoly, and BQP/poly. 

Definition 2.1 QMA is the class of languages $L \subseteq \{0,1\}^*$ for which there exists a polynomial-time quantum verifier $Q$ and a polynomial $p$ such that, for all $x \in \{0,1\}^n$:

(i) If $x \in L$ then there exists a $p(n)$-qubit quantum proof $|\phi\rangle$ such that $Q$ accepts with probability at least 2/3 given $|x\rangle|\phi\rangle$ as input.

(ii) If $x \notin L$ then $Q$ accepts with probability at most 1/3 given $|x\rangle|\phi\rangle$ as input, for all purported proofs $|\phi\rangle$.

The class QCMA is defined similarly, except that $|\phi\rangle$ is replaced by a classical string $z \in \{0,1\}^{p(n)}$.

Definition 2.2 BQP/qpoly is the class of languages $L \subseteq \{0,1\}^*$ for which there exists a polynomial-time quantum algorithm $Q$, together with a set of states $\{|\psi_n\rangle\}_{n \ge 1}$ (where $|\psi_n\rangle$ has size $p(n)$ for some polynomial $p$), such that for all $x \in \{0,1\}^n$:

(i) If $x \in L$ then $Q$ accepts with probability at least 2/3 given $|x\rangle|\psi_n\rangle$ as input.

(ii) If $x \notin L$ then $Q$ accepts with probability at most 1/3 given $|x\rangle|\psi_n\rangle$ as input.

The class BQP/poly is defined similarly, except that $|\psi_n\rangle$ is replaced by a classical string $a_n \in \{0,1\}^{p(n)}$.

Let us now explain what we mean by a "quantum oracle." For us, a quantum oracle is simply an infinite sequence of unitary transformations, $U = \{U_n\}_{n \ge 1}$. We assume that each $U_n$ acts on $p(n)$ qubits for some known polynomial $p$. We also assume that given an $n$-bit string as input, a quantum algorithm calls only $U_n$, not $U_m$ for any $m \ne n$. This assumption is only made for simplicity; our results would go through without it.² When there is no danger of confusion, we will refer to $U_n$ simply as $U$.

We now describe the oracle access mechanism. Assume a quantum computer's state has the form

$$|\Phi\rangle = \sum_{z,b} \alpha_{z,b}\, |z\rangle |b\rangle |\phi_{z,b}\rangle,$$

where $|z\rangle$ is a workspace register, $|b\rangle$ is a control qubit, and $|\phi_{z,b}\rangle$ is a $p(n)$-qubit answer register. Then to "query $U_n$" means to apply the $(p(n)+1)$-qubit unitary transformation that maps $|\Phi\rangle$ to

$$|\Phi'\rangle = \sum_{z} |z\rangle \left( \alpha_{z,0}\, |0\rangle |\phi_{z,0}\rangle + \alpha_{z,1}\, |1\rangle\, U_n |\phi_{z,1}\rangle \right).$$

Let $\mathcal{C}$ be a quantum complexity class, and let $U = \{U_n\}_{n \ge 1}$ be a quantum oracle. Then by $\mathcal{C}^U$, we will mean the class of problems solvable by a $\mathcal{C}$ machine that, given an input of length $n$, can query $U_n$ at unit cost as many times as it likes.

In defining the notion of quantum oracle, several choices present themselves that have no counterpart for classical 
oracles. Even though these choices will not matter for our results, it seems worthwhile to mention them, since they 
might arise in future work on the subject. First, we implicitly assumed that if we can apply U, then we can also apply 
controlled-$U$ (that is, $U$ conditioned on the control qubit $|b\rangle$). Should we make such an assumption? Second, should
we assume that if we can apply $U$, then we can also apply $U^{-1}$?

Arguably the answer to both questions should be 'yes' — since given a quantum circuit for $U$, we could produce
a quantum circuit for controlled-$U$ or $U^{-1}$ in a completely routine way, one that leaves the circuit's overall structure
intact.³ Still, it would be interesting to know whether disallowing controlled-$U$ or $U^{-1}$ would enable us to prove more
quantum oracle separations. (Note that if we disallow these operations, then the set of inequivalent quantum oracles 
becomes larger.) 

Another question is whether we could prove more oracle separations by allowing nonunitary quantum oracles — 
that is, oracles that map pure states to mixed states. In this case, if the unitary oracle $U$ is not required to come
with $U^{-1}$, then the answer seems to be no. For given any $n$-qubit quantum operation $\mathcal{E}$, we can construct a $2n$-qubit
unitary operation $U$, whose induced action on the first $n$ qubits is $\mathcal{E}$. This $U$ might potentially reveal information in
the second n qubits. However, we should be able to prevent that by composing U with a unitary that "scrambles" the 
second n qubits (so that they might as well be thrown away), without affecting the first n qubits. 

All quantum oracles considered in this paper will be unitary and self-inverse (that is, $U = U^{-1}$). Also, while our algorithm in Section 4 will need to apply controlled-$U$, that is only for the technical reason that we will define $U$ so that $U|\psi\rangle = -|\psi\rangle$ if $|\psi\rangle$ is the marked state, and $U|\phi\rangle = |\phi\rangle$ whenever $\langle\phi|\psi\rangle = 0$. If we stipulated instead that $U|\psi\rangle|b\rangle = |\psi\rangle|b \oplus 1\rangle$ and $U|\phi\rangle|b\rangle = |\phi\rangle|b\rangle$ whenever $\langle\phi|\psi\rangle = 0$, then $U$ alone would suffice.

3 Quantum Oracle Separations 

The aim of this section is to prove Theorem 1.1: that there exists a quantum oracle $U$ such that $\mathsf{QMA}^U \ne \mathsf{QCMA}^U$. The same ideas will also yield a quantum oracle $V$ such that $\mathsf{BQP}^V/\mathsf{qpoly} \ne \mathsf{BQP}^V/\mathsf{poly}$.

To prove these oracle separations, we first need some lemmas about probability measures on quantum states. Let $\mu$ be the uniform probability measure over $N$-dimensional pure states (that is, over $\mathbb{CP}^{N-1}$). The following notion will play a key role in our argument.

Definition 3.1 For all $p \in [0,1]$, a probability measure $\sigma$ over $\mathbb{CP}^{N-1}$ is called $p$-uniform if $p\sigma \le \mu$.

² If one made the analogous assumption in classical complexity — that given an input of length $n$, an algorithm can query the oracle only on strings of length $n$ — one could simplify a great many oracle results without any loss of conceptual content.

³ One might object that the arithmetization at the heart of the IP = PSPACE theorem [21] also leaves a circuit's "overall structure" intact. But inverting a gate or conditioning it on a control qubit seems less drastic to us than enlarging its base field.



Intuitively, a $p$-uniform measure is what we end up with if we start with the uniform prior over all pure states $|\psi\rangle$,
and then condition on $\log 1/p$ bits of classical information about $|\psi\rangle$.

We are interested in the following question: among all $p$-uniform probability measures $\sigma$, which is the one that maximizes $\mathrm{E}_{|\psi\rangle \in \sigma}\left[|\langle\psi|0\rangle|^2\right]$? We can think of $\mathbb{CP}^{N-1}$ as a container, which contains a fluid $\sigma$ that is gravitationally attracted to the state $|0\rangle$. Then intuitively, the answer is clear: the way to maximize $\mathrm{E}_{|\psi\rangle \in \sigma}\left[|\langle\psi|0\rangle|^2\right]$ is to "fill the container from the bottom," subject to the density constraint $p\sigma \le \mu$. In other words, the optimal $\sigma$ should be the uniform measure over the region $\mathcal{R}(p)$ given by $|\langle\psi|0\rangle| \ge h(p)$, where $h(p)$ is chosen so that the volume of $\mathcal{R}(p)$ is a $p$ fraction of the total volume of $\mathbb{CP}^{N-1}$.

The following lemma makes this intuition rigorous.

Lemma 3.2 Among all $p$-uniform probability measures $\sigma$ over $\mathbb{CP}^{N-1}$, the one that maximizes $\mathrm{E}_{|\psi\rangle \in \sigma}\left[|\langle\psi|0\rangle|^2\right]$ is $\tau(p)$, the uniform measure over the region $\mathcal{R}(p)$ defined above.

Proof. Since $|\langle\psi|0\rangle|^2$ is nonnegative, we can write

We claim that setting $\sigma := \tau(p)$ maximizes the integrand for every value of $y$. Certainly, then, setting $\sigma := \tau(p)$ maximizes the integral itself as well.

To prove the claim, we consider two cases. First, if $y \le h(p)^2$, then

$$\Pr_{|\psi\rangle \in \tau(p)}\left[|\langle\psi|0\rangle|^2 \ge y\right] = 1,$$

which is certainly maximal. Second, if $y > h(p)^2$, then

$$\Pr_{|\psi\rangle \in \tau(p)}\left[|\langle\psi|0\rangle|^2 \ge y\right] = \frac{1}{p} \cdot \Pr_{|\psi\rangle \in \mu}\left[|\langle\psi|0\rangle|^2 \ge y\right].$$

This is maximal as well, since

$$\Pr_{|\psi\rangle \in \sigma}\left[|\langle\psi|0\rangle|^2 \ge y\right] \le \frac{1}{p} \cdot \Pr_{|\psi\rangle \in \mu}\left[|\langle\psi|0\rangle|^2 \ge y\right]$$

for all $p$-uniform probability measures $\sigma$. ■

Lemma 3.2 completely describes the probability measure that maximizes $\mathrm{E}_{|\psi\rangle \in \sigma}\left[|\langle\psi|0\rangle|^2\right]$, except for one
detail: the value of $h(p)$ (or equivalently, the radius of $\mathcal{R}(p)$). The next lemma completes the picture.

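Lemma 3.3 For all $p$,

$$h(p) = \sqrt{1 - p^{1/(N-1)}} = \Theta\left(\sqrt{\frac{\log 1/p}{N}}\right).$$

Proof. We will show that for all $h$,

$$\Pr_{|\psi\rangle \in \mu}\left[|\langle\psi|0\rangle| \ge h\right] = \left(1 - h^2\right)^{N-1},$$

where $\mu$ is the uniform probability measure over $\mathbb{CP}^{N-1}$. Setting $p := \Pr_{|\psi\rangle \in \mu}\left[|\langle\psi|0\rangle| \ge h\right]$ and solving for $h$ then yields the lemma.

Let $\vec{z} = (z_0, \ldots, z_{N-1})$ be a complex vector; then let $\vec{r} = (r_0, \ldots, r_{N-1})$ and $\vec{\theta} = (\theta_0, \ldots, \theta_{N-1})$ be real vectors such that $z_k = r_k e^{i\theta_k}$ for each coordinate $k$. Also, let $\mathcal{D}$ be a Gaussian probability measure on $\mathbb{C}^N$, with density function

$$P(\vec{z}) = P(\vec{r}) = \frac{1}{\pi^N} e^{-\|\vec{r}\|_2^2}.$$

Let $d\vec{r}$ be shorthand for $dr_0 \cdots dr_{N-1}$. Then we can express the probability that $|\langle\psi|0\rangle| \ge h$ as

$$\Pr_{|\psi\rangle \in \mu}\left[|\langle\psi|0\rangle| \ge h\right] = \Pr_{\vec{z} \in \mathcal{D}}\left[|z_0| \ge h\|\vec{z}\|_2\right] = \Pr_{\vec{r} \in \mathcal{D}}\left[r_0 \ge h\|\vec{r}\|_2\right]$$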
By combining Lemmas 3.2 and 3.3, we can now prove a key fact: that if $|\psi\rangle$ is drawn from a $p$-uniform probability
measure, then for every mixed state $\rho$, the squared fidelity between $|\psi\rangle$ and $\rho$ has a small expectation.

Lemma 3.4 Let $\sigma$ be a $p$-uniform probability measure over $\mathbb{CP}^{N-1}$. Then for all $\rho$,



Proof. If $p \le e^{-O(N)}$ then the lemma is certainly true, so suppose $p \ge e^{-O(N)}$. Since the concluding inequality is linear in $\rho$, we can assume without loss of generality that $\rho$ is a pure state. Indeed, by symmetry we can assume that $\rho = |0\rangle\langle 0|$. So our aim is to upper-bound $\mathrm{E}_{|\psi\rangle \in \sigma}\left[|\langle\psi|0\rangle|^2\right]$, where $\sigma$ is any $p$-uniform probability measure. By Lemma 3.2, we can assume without loss of generality that $\sigma = \tau(p)$ is the uniform measure over all $|\psi\rangle$ such that $|\langle\psi|0\rangle| \ge h(p)$. Then letting

$$|\psi\rangle = \alpha_0|0\rangle + \cdots + \alpha_{N-1}|N-1\rangle,$$

$$r = \sqrt{|\alpha_1|^2 + \cdots + |\alpha_{N-1}|^2},$$

where the last line follows from Lemma 3.3. ■

We are finally ready to prove the main result of this section: that any quantum algorithm needs $\Omega\left(\sqrt{2^n/(m+1)}\right)$ queries
to find an $n$-qubit marked state $|\psi\rangle$, even if given $m$ bits of classical advice about $|\psi\rangle$.

Theorem 3.5 Suppose we are given oracle access to an $n$-qubit unitary $U$, and want to decide which of the following holds:

(i) There exists an $n$-qubit "quantum marked state" $|\psi\rangle$ such that $U|\psi\rangle = -|\psi\rangle$, but $U|\phi\rangle = |\phi\rangle$ whenever $\langle\phi|\psi\rangle = 0$; or

(ii) $U = I$ is the identity operator.

Then even if we have an $m$-bit classical witness $w$ in support of case (i), we still need $\Omega\left(\sqrt{2^n/(m+1)}\right)$ queries to verify the witness, with bounded probability of error.

Proof. If $m = \Omega(2^n)$ then the theorem is certainly true, so suppose $m = o(2^n)$. Let $A$ be a quantum algorithm that queries $U$. Also, let $U_{|\psi\rangle}$ be an $n$-qubit unitary such that $U_{|\psi\rangle}|\psi\rangle = -|\psi\rangle$, but $U_{|\psi\rangle}|\phi\rangle = |\phi\rangle$ whenever $\langle\phi|\psi\rangle = 0$. Then $A$'s goal is to accept if and only if $U = U_{|\psi\rangle}$ for some $|\psi\rangle$.

For each $n$-qubit pure state $|\psi\rangle$, let us fix a classical witness $w \in \{0,1\}^m$ that maximizes the probability that $A$ accepts, given $U_{|\psi\rangle}$ as oracle. Let $S(w)$ be the set of $|\psi\rangle$'s associated with a given witness $w$. Since the $S(w)$'s form a partition of $\mathbb{CP}^{2^n-1}$, clearly there exists a witness, call it $w^*$, such that

$$\Pr_{|\psi\rangle \in \mu}\left[|\psi\rangle \in S(w^*)\right] \ge \frac{1}{2^m}.$$

Fix that $w^*$ (or in other words, hardwire $w^*$ into $A$). Then to prove the theorem, it suffices to establish the following claim: $A$ cannot distinguish the case $U = U_{|\psi\rangle}$ from the case $U = I$ by making $o\left(\sqrt{2^n/(m+1)}\right)$ queries to $U$, with high probability if $|\psi\rangle$ is chosen uniformly at random from $S(w^*)$.

To prove the claim, we use a generalization of the hybrid argument of Bennett et al. [7]. Suppose that $A$ makes $T$ queries to $U$. (Technically speaking, we should also allow queries to controlled-$U$, but this will make no difference in our analysis.) Then for all $0 \le t \le T$, let $|\Phi_t\rangle$ be the final state of $A$, assuming that $U = I$ for the first $t$ queries, and $U = U_{|\psi\rangle}$ for the remaining $T - t$ queries. Thus $|\Phi_0\rangle$ is the final state in case (i), while $|\Phi_T\rangle$ is the final state in case (ii). We will argue that $|\Phi_t\rangle$ cannot be very far from $|\Phi_{t-1}\rangle$, with high probability over the choice of marked state $|\psi\rangle$. Intuitively, this is because the computations of $|\Phi_t\rangle$ and $|\Phi_{t-1}\rangle$ differ in only a single query, and with high probability that query cannot have much overlap with $|\psi\rangle$. We will then conclude, by the triangle inequality, that $|\Phi_0\rangle$ cannot be far from $|\Phi_T\rangle$ unless $T$ is large.

More formally, let $\rho_t$ be the marginal state of the query register just before the $t^{\text{th}}$ query, assuming the "control case" $U = I$. Also, let $\rho_t = \sum_i p_i |\phi_i\rangle\langle\phi_i|$ be an arbitrary decomposition of $\rho_t$ into pure states. Then for every $i$, the component of $|\phi_i\rangle$ orthogonal to $|\psi\rangle$ is unaffected by the $t^{\text{th}}$ query. Therefore

$$\left\| |\Phi_t\rangle - |\Phi_{t-1}\rangle \right\|_2 \le \cdots \le 2\sqrt{\sum_i p_i \langle\psi|\phi_i\rangle\langle\phi_i|\psi\rangle} = 2\sqrt{\langle\psi|\rho_t|\psi\rangle},$$

where the third line uses the Cauchy-Schwarz inequality (the average of the square root is at most the square root of the average). Now let $\sigma$ be the uniform probability measure over $S(w^*)$, and observe that $\sigma$ is $2^{-m}$-uniform. So by Lemma 3.4,
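where the second line again uses the Cauchy-Schwarz inequality. Finally,

$$\mathrm{E}_{|\psi\rangle \in \sigma}\left[\left\| |\Phi_T\rangle - |\Phi_0\rangle \right\|_2\right] \le \sum_{t=1}^{T} \mathrm{E}_{|\psi\rangle \in \sigma}\left[\left\| |\Phi_t\rangle - |\Phi_{t-1}\rangle \right\|_2\right] = O\left(T\sqrt{\frac{m+1}{2^n}}\right)$$

by the triangle inequality. This implies that, for $|\Phi_T\rangle$ and $|\Phi_0\rangle$ to be distinguishable with $\Omega(1)$ bias, we must have $T = \Omega\left(\sqrt{2^n/(m+1)}\right)$.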

Using Theorem 3.5, we can immediately show a quantum oracle separation between QMA and QCMA.

Proof of Theorem 1.1. Let $L$ be a unary language chosen uniformly at random. The oracle $U = \{U_n\}_{n \ge 1}$ is as follows: if $0^n \in L$, then $U_n|\psi_n\rangle = -|\psi_n\rangle$ for some $n$-qubit marked state $|\psi_n\rangle$ chosen uniformly at random, while $U_n|\phi\rangle = |\phi\rangle$ whenever $\langle\phi|\psi_n\rangle = 0$. Otherwise, if $0^n \notin L$, then $U_n$ is the $n$-qubit identity operation.

Almost by definition, $L \in \mathsf{QMA}^U$. For given a quantum witness $|\phi\rangle$, the QMA verifier first prepares the state $\frac{1}{\sqrt{2}}\left(|0\rangle|\phi\rangle + |1\rangle|\phi\rangle\right)$, then applies $U_n$ to the second register conditioned on the first register being $|1\rangle$. Next the verifier applies a Hadamard gate to the first register, measures it, and accepts if and only if $|1\rangle$ is observed. If $0^n \in L$, then there exists a witness — namely $|\phi\rangle = |\psi_n\rangle$ — that causes the verifier to accept with probability 1. On the other hand, if $0^n \notin L$, then no witness causes the verifier to accept with nonzero probability.

As a final observation, Theorem 3.5 implies that $L \notin \mathsf{QCMA}^U$ with probability 1 over the choice of $U$. We omit
the standard diagonalization argument. ■
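
The verifier in this proof can be simulated directly on state vectors, which makes its acceptance probability $|\langle\phi|\psi_n\rangle|^2$ visible for honest, unrelated and basis-state witnesses. The following Python simulation is an added example, not code from the paper; the function names, the 5-qubit size and the randomly generated marked state are assumptions chosen for illustration.

```python
import math
import random


def random_state(dim, rng):
    """Constructed sample input: a Haar-random pure state (normalised complex Gaussians)."""
    v = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(dim)]
    norm = math.sqrt(sum(abs(a) ** 2 for a in v))
    return [a / norm for a in v]


def inner(u, v):
    """<u|v>, conjugate-linear in the first argument."""
    return sum(a.conjugate() * b for a, b in zip(u, v))


def marked_oracle(psi):
    """U_n for 0^n in L: U|psi> = -|psi>, U|phi> = |phi> whenever <phi|psi> = 0."""
    def apply(vec):
        c = inner(psi, vec)
        return [x - 2 * c * a for x, a in zip(vec, psi)]
    return apply


def identity_oracle(vec):
    """U_n for 0^n not in L: the identity operation."""
    return list(vec)


def accept_probability(oracle, witness):
    """Arthur's circuit: control in (|0>+|1>)/sqrt(2), controlled-U, Hadamard, measure."""
    s = 1 / math.sqrt(2)
    branch0 = [s * a for a in witness]          # control |0>: witness untouched
    branch1 = [s * a for a in oracle(witness)]  # control |1>: one query to U_n
    # The Hadamard sends the control's |1> outcome to (branch0 - branch1)/sqrt(2).
    outcome1 = [s * (a - b) for a, b in zip(branch0, branch1)]
    return sum(abs(a) ** 2 for a in outcome1)


def demo(n_qubits=5, seed=7):
    """Acceptance probabilities for several witnesses (all inputs are constructed)."""
    rng = random.Random(seed)
    dim = 2 ** n_qubits
    psi = random_state(dim, rng)      # the secret marked state
    guess = random_state(dim, rng)    # a witness unrelated to psi
    z = max(range(dim), key=lambda i: abs(psi[i]))
    basis = [1.0 if i == z else 0.0 for i in range(dim)]  # best single basis state
    oracle = marked_oracle(psi)
    return {
        "honest": accept_probability(oracle, psi),
        "unrelated": accept_probability(oracle, guess),
        "unrelated_overlap_sq": abs(inner(psi, guess)) ** 2,
        "basis": accept_probability(oracle, basis),
        "basis_overlap_sq": abs(psi[z]) ** 2,
        "identity": max(accept_probability(identity_oracle, w)
                        for w in (psi, guess, basis)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value:.6f}")
```

The single-query test accepts a witness exactly in proportion to its squared overlap with the marked state, which is why a witness that carries little information about $|\psi_n\rangle$ must be followed by many more queries.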

We can similarly show a quantum oracle separation between BQP/qpoly and BQP/poly. 



Theorem 3.6 There exists a quantum oracle $U$ such that $\mathsf{BQP}^U/\mathsf{qpoly} \ne \mathsf{BQP}^U/\mathsf{poly}$.

Proof. In this case $U_n$ will act on $2n$ qubits. Let $L$ be a binary language chosen uniformly at random, and let $L(x) = 1$ if $x \in L$ and $L(x) = 0$ otherwise. Also, for all $n$, let $|\psi_n\rangle$ be an $n$-qubit state chosen uniformly at random. Then $U_n$ acts as follows: for all $x \in \{0,1\}^n$,

but $U_n\left(|\phi\rangle|x\rangle\right) = |\phi\rangle|x\rangle$ whenever $\langle\phi|\psi_n\rangle = 0$. Clearly $L \in \mathsf{BQP}^U/\mathsf{qpoly}$; we just take $|\psi_n\rangle$ as the advice. On the other hand, Theorem 3.5 implies that $L \notin \mathsf{BQP}^U/\mathsf{poly}$ with probability 1. ■

4 Upper Bound 

In this section we show that the lower bound of Theorem 3.5 is basically tight. In particular, let $U$ be an $n$-qubit quantum oracle, and suppose we are given an $m$-bit classical proof that $U$ is not the identity, but instead conceals a marked state $|\psi\rangle$ such that $U|\psi\rangle = -|\psi\rangle$. Then provided $2n < m < 2^n$, a quantum algorithm can verify the proof by making $O\left(\sqrt{2^n/m}\right)$ oracle calls to $U$. This matches our lower bound when $m > 2n$.⁴

Let $N = 2^n$ be the dimension of $U$'s Hilbert space. Then the idea of our algorithm is to use a "mesh" of states $|\phi_1\rangle, \ldots, |\phi_M\rangle \in \mathbb{CP}^{N-1}$, at least one of which has nontrivial overlap with every pure state in $\mathbb{CP}^{N-1}$. A classical proof can then help the algorithm by telling it the $|\phi_i\rangle$ that is closest to $|\psi\rangle$. More formally, define the $h$-ball about $|\phi\rangle$ to be the set of $|\psi\rangle$ such that $|\langle\phi|\psi\rangle| \ge h$. Then define an $h$-net for $\mathbb{CP}^{N-1}$ of size $M$ to be a set of states $|\phi_1\rangle, \ldots, |\phi_M\rangle$ such that every $|\psi\rangle \in \mathbb{CP}^{N-1}$ is contained in the $h$-ball about $|\phi_i\rangle$ for some $i$.⁵ We will use the following theorem, which follows from Corollary 1.2 of Böröczky and Wintsche [8].

Theorem 4.1 ([8]) For all $0 < h < 1$, there exists an $h$-net for $\mathbb{CP}^{N-1}$ of size

Böröczky and Wintsche do not provide an explicit construction of such an $h$-net; they only prove that it exists.⁶
Later, we will give an explicit construction with only slightly worse parameters than those of Theorem 4.1. But first,
let us prove an upper bound on query complexity.

Theorem 4.2 Suppose we have an $n$-qubit quantum oracle $U$ such that either (i) $U = U_{|\psi\rangle}$ for some $|\psi\rangle$, or (ii) $U = I$ is the identity operator. Then given an $m$-bit classical witness in support of case (i), where $m > 2n$, there exists a quantum algorithm that verifies the witness using $O\left(\sqrt{2^n/m} + 1\right)$ queries to $U$.

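Proof. By Theorem 4.1, there exists an $h$-net $S$ for $\mathbb{CP}^{N-1}$ of cardinality

$$|S| = O\left(\frac{2^{3n/2} \log\left(2 + 2^n h^2\right)}{\left(1 - h^2\right)^{2^n}}\right).$$

Setting $|S| = 2^m$ gives

$$m \le \frac{3n}{2} + 2^n \log\left(\frac{1}{1 - h^2}\right) + O(\log n).$$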

⁴ When $m \ll 2n$, the best upper bound we know is the trivial $O\left(\sqrt{2^n}\right)$. However, we conjecture that $O\left(\sqrt{2^n/m}\right)$ is achievable in this case as well.

⁵ These objects are often called $\varepsilon$-nets, with the obvious relation $h = \cos \varepsilon$.

⁶ Note that we cannot just start from an explicit construction of a sphere-packing, and then double the radius of the spheres to get a covering. We could do that if we wanted a covering of $\mathbb{CP}^{N-1}$ by small balls. But in our case, $h$ is close to zero, which means that the balls already have close to the maximal radius.



Solving for $h$, we obtain

$$h \ge \sqrt{1 - 2^{-\left(m - 3n/2 - O(\log n)\right)/2^n}},$$

which is $\Omega\left(\sqrt{m/2^n}\right)$ provided $m > 2n$. So there exists a collection of $M = 2^m$ states, $|\phi_1\rangle, \ldots, |\phi_M\rangle \in \mathbb{CP}^{N-1}$, such that for every $|\psi\rangle$, there exists an $i$ such that $|\langle\phi_i|\psi\rangle| \ge h$ where $h = \Omega\left(\sqrt{m/2^n}\right)$.

Given an oracle $U = U_{|\psi\rangle}$, the classical witness $w \in \{0,1\}^m$ will simply encode an index $i$ such that $|\langle\phi_i|\psi\rangle| \ge h$. If we prepare $|\phi_i\rangle$ and feed it to $U$, then the probability of finding the marked state $|\psi\rangle$ is $|\langle\phi_i|\psi\rangle|^2 \ge h^2$. Furthermore, if we do find $|\psi\rangle$, we will know we did (i.e. a control qubit will be $|1\rangle$ instead of $|0\rangle$). From these facts, it follows immediately from the amplitude amplification theorem of Grover [12] and Brassard et al. [9] that we can find $|\psi\rangle$ with probability $\Omega(1)$ using

$$O\left(\frac{1}{h}\right) = O\left(\sqrt{\frac{2^n}{m}} + 1\right)$$

queries to $U$. ■

Of course, if we care about computational complexity as well as query complexity, then it is not enough for an $h$-net to exist — we also need the states in the $h$-net to be efficiently preparable. Fortunately, proving an explicit version of Theorem 4.1 turns out to be simpler than one might expect. We will do so with the help of the following inequality.




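Lemma 4.3 Let $x_1 \ge \cdots \ge x_N \ge 0$ be nonnegative real numbers with $x_1^2 + \cdots + x_N^2 = 1$. Then for all $k \in \{1, \ldots, N\}$,

$$\max_{1 \le t \le k} \frac{x_1 + \cdots + x_t}{\sqrt{t}} \ge \sqrt{\frac{k}{N \lceil \log_2 N \rceil}}.$$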



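Proof. Let $L = \lceil \log_2 N \rceil$. Then for all $i \in \{1, \ldots, L\}$, let $s_i = x_{2^{i-1}}^2 + \cdots + x_{2^i - 1}^2$, where we adopt the convention that $x_j = 0$ if $j > N$. Then

$$s_1 + \cdots + s_L = x_1^2 + \cdots + x_N^2 = 1,$$

so certainly there exists an $i \in \{1, \ldots, L\}$ such that $s_i \ge 1/L$. Fix that $i$. Then since the $x_j$'s are arranged in nonincreasing order, we have

$$x_{2^{i-1}} \ge \sqrt{\frac{s_i}{2^{i-1}}} \ge \frac{1}{\sqrt{2^{i-1} L}}.$$

There are now two cases. First, if $k \le 2^{i-1}$ then

$$\max_{1 \le t \le k} \frac{x_1 + \cdots + x_t}{\sqrt{t}} \ge \frac{x_1 + \cdots + x_k}{\sqrt{k}} \ge \frac{k}{\sqrt{k}}\, x_{2^{i-1}} \ge \sqrt{\frac{k}{2^{i-1} L}} \ge \sqrt{\frac{k}{N \lceil \log_2 N \rceil}}.$$

Second, if $2^{i-1} < k$ then

$$\max_{1 \le t \le k} \frac{x_1 + \cdots + x_t}{\sqrt{t}} \ge \frac{x_1 + \cdots + x_{2^{i-1}}}{\sqrt{2^{i-1}}} \ge \sqrt{2^{i-1}}\, x_{2^{i-1}} \ge \frac{1}{\sqrt{L}} \ge \sqrt{\frac{k}{N \lceil \log_2 N \rceil}}.$$

This completes the proof.⁷ ■

We now use Lemma 4.3 to construct an $h$-net.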



⁷ One might wonder whether the $\sqrt{1/\lceil \log_2 N \rceil}$ factor can be eliminated. However, a simple example shows that it can be improved by at most a constant factor. Suppose $x_j := \frac{1}{\sqrt{j H_N}}$, where $H_N = \sum_{j=1}^{N} \frac{1}{j} \approx \ln N$. Then for all $t \in \{1, \ldots, N\}$, we have

$$\frac{x_1 + \cdots + x_t}{\sqrt{t}} \le \frac{2}{\sqrt{\ln N}}.$$
Theorem 4.4 For all $0 < h < 1$, there exists an $h$-net $|\phi_1\rangle, \ldots, |\phi_M\rangle$ for $\mathbb{CP}^{N-1}$ of size $M = 4N \cdot 2^{O\left(h^2 N \log^2 N\right)}$, as well as a quantum algorithm that runs in time polynomial in $\log M$ and that prepares the state $|\phi_i\rangle$ given $i$ as input.

Proof. Assume without loss of generality that $N = 2^n$ and $M = 2^m$ are both powers of 2, and let $|\psi\rangle$ be an $n$-qubit target state. Then it suffices to show that a quantum algorithm, using

$$m = \log_2 M = n + 2 + O\left(h^2 2^n n^2\right)$$

bits of classical advice, can prepare a state $|\phi\rangle$ such that $|\langle\phi|\psi\rangle| \ge h$ in time polynomial in $m$.

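Let $k :=$ ■:^^ . Also, let us express $|\psi\rangle$ in the computational basis as

$$|\psi\rangle = \sum_{z \in \{1, \ldots, N\}} \alpha_z |z\rangle,$$

and let $|z_1\rangle, \ldots, |z_N\rangle$ be an ordering of basis states with the property that $|\alpha_{z_1}| \ge \cdots \ge |\alpha_{z_N}|$. Then by Lemma 4.3, there exists an integer $t \in \{1, \ldots, k\}$ such that

$$\frac{|\alpha_{z_1}| + \cdots + |\alpha_{z_t}|}{\sqrt{t}} \ge \sqrt{\frac{k}{N \lceil \log_2 N \rceil}} = \sqrt{\frac{k}{Nn}}.$$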

Here we can assume that $\alpha_{z_1}, \ldots, \alpha_{z_t}$ are all nonzero, since otherwise we simply decrease $t$. Now let $\beta_z$ be the element of $\{1, -1, i, -i\}$ that is closest to $\alpha_z / |\alpha_z|$, with ties broken arbitrarily. Then our approximation to $|\psi\rangle$ will be the following:

To specify $|\phi\rangle$, the classical advice just needs to list $z_1, \ldots, z_t$ and $\beta_{z_1}, \ldots, \beta_{z_t}$. Since $t \le k$, this requires at most $k(n + 2) \le m$ bits. Given the specification, it is clear that $|\phi\rangle$ can be prepared in time polynomial in $tn \le m$. Moreover,

1 V^ ^* . 1 v^ la^ 



(*,)^-^l^«,a„>-^^^>y_ 



1=1 ^ i=l 



We can therefore set $h := \sqrt{k/(2Nn)}$, so that $k = 2h^2 N n$. Hence

$$m < (n+2)(k+1) = (n+2)(2h^2 N n + 1) = n + 2 + O(h^2 2^n n^2).$$



The following is an immediate consequence of Theorem 4.4.

Corollary 4.5 Suppose we have an $n$-qubit quantum oracle $U$ such that either (i) $U = U_\psi$ for some $|\psi\rangle$, or (ii) $U = I$ is the identity. Then given an $m$-bit classical witness in support of case (i), there exists a quantum algorithm that verifies the witness using $O(n\sqrt{2^n/m} + 1)$ queries to $U$, together with $O(n^2\sqrt{2^n/m} + \mathrm{poly}(m))$ steps of auxiliary computation.

It is natural to ask whether we could construct a smaller explicit $h$-net, and thereby improve the query complexity in Corollary 4.5 from $O(n\sqrt{2^n/m} + 1)$ to the optimal $O(\sqrt{2^n/m} + 1)$. We certainly believe that this is possible, but it seems to require more complicated techniques from the theory of sphere coverings.
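The advice construction from the proof of Theorem 4.4, as an added Python example (not code from the paper). It assumes $k = \lfloor m/(n+2) \rfloor$ and that the approximating state is $|\phi\rangle = t^{-1/2} \sum_i \beta_{z_i} |z_i\rangle$, which is what the overlap calculation implies; the function names and the random test states are constructed for illustration, and `harmonic_state` assumes the near-worst case is $x_j = 1/\sqrt{j H_N}$.

```python
import math
import random

PHASES = (1, -1, 1j, -1j)  # the four values beta may take

def random_state(n, rng):
    """Constructed test input: a normalized random n-qubit amplitude vector."""
    amps = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(2 ** n)]
    norm = math.sqrt(sum(abs(a) ** 2 for a in amps))
    return [a / norm for a in amps]

def make_advice(psi, m):
    """Merlin's side: pick t <= k basis states and one of four phases for each."""
    n = len(psi).bit_length() - 1
    k = m // (n + 2)                        # assumed: each entry costs n + 2 bits
    order = sorted(range(len(psi)), key=lambda z: -abs(psi[z]))
    best_t, best_score, running = 0, 0.0, 0.0
    for t in range(1, k + 1):
        if abs(psi[order[t - 1]]) == 0:     # only nonzero amplitudes are listed
            break
        running += abs(psi[order[t - 1]])
        if running / math.sqrt(t) > best_score:
            best_t, best_score = t, running / math.sqrt(t)
    advice = []
    for z in order[:best_t]:
        unit = psi[z] / abs(psi[z])
        advice.append((z, min(PHASES, key=lambda b: abs(b - unit))))
    return advice

def advice_bits(advice, n):
    """n bits for each index z_i plus 2 bits for each phase beta_i."""
    return len(advice) * (n + 2)

def overlap(advice, psi):
    """|<phi|psi>| for |phi> = t^(-1/2) * sum_i beta_i |z_i> (assumed form)."""
    inner = sum(complex(b).conjugate() * psi[z] for z, b in advice)
    return abs(inner) / math.sqrt(len(advice))

def guaranteed_overlap(n, m):
    """The bound h = sqrt(k / (2 N n)) with N = 2^n."""
    k = m // (n + 2)
    return math.sqrt(k / (2 * (2 ** n) * n))

def harmonic_state(n):
    """Assumed near-worst case: amplitudes x_j = 1 / sqrt(j * H_N)."""
    size = 2 ** n
    h_n = sum(1 / j for j in range(1, size + 1))
    return [complex(1 / math.sqrt(j * h_n)) for j in range(1, size + 1)]

def check(n=6, m=64, trials=200, seed=7):
    """Smallest overlap seen over random states, next to the guaranteed bound."""
    rng = random.Random(seed)
    worst = 1.0
    for _ in range(trials):
        psi = random_state(n, rng)
        advice = make_advice(psi, m)
        assert advice_bits(advice, n) <= m
        worst = min(worst, overlap(advice, psi))
    return worst, guaranteed_overlap(n, m)
```

Random states land far above the guaranteed overlap; the harmonic state shows how little room there is to improve the logarithmic factor.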
5 Group Non-Membership

The Group Non-Membership (GNM) problem is defined as follows. We are given a finite group $G$, a subgroup $H \le G$, and an element $x \in G$. The problem is to decide whether $x \notin H$.

But how are $G$, $H$, and $x$ specified? To abstract away the details of this question, we will use Babai and Szemerédi's model of black-box groups [5]. In this model, we know generators for $H$, and we know how to multiply and invert the elements of $G$, but we "do not know anything else." More formally, we are given access to a group oracle $O$, which represents each element $x \in G$ by a randomly-chosen label $\ell(x) \in \{0,1\}^n$ for some $n \ge \log_2 |G|$. We are also given the labels of generators $\langle h_1, \ldots, h_l \rangle$ for $H$. We are promised that every element has a unique label.

Suppose that our quantum computer's state has the form 

where $\ell(x)$ and $\ell(y)$ are labels of group elements and $|z\rangle$ is a workspace register. Then the oracle $O$ maps this state to

x.yGG, z 

Note that if the first register does not contain valid labels of group elements, then O can behave arbitrarily. Thus, 
from now on we will ignore labels, and talk directly about the group elements they represent. Using O, it is easy to 
see that we can perform group inversion (by putting the identity element e in the x register) and multiplication (by first 
inverting $y$, then putting $y^{-1}$ in the $y$ register), as well as any combination of these operations.

We will show that GNM has polynomially-bounded QCMA query complexity. In other words, if $x \notin H$, then Merlin can provide Arthur with a $\mathrm{poly}(n)$-bit classical witness of that fact, which enables Arthur to verify it with high probability using $\mathrm{poly}(n)$ quantum queries to the group oracle $O$.

To prove this result, we first need to collect various facts from finite group theory. Call $g_1, \ldots, g_k$ an efficient generating set for a finite group $G$ if (i) $k = O(\log |G|)$, and (ii) every $x \in G$ is expressible as $g_1^{e_1} \cdots g_k^{e_k}$ where $e_1, \ldots, e_k \in \{0, 1\}$. The following lemma follows immediately from a theorem of Erdős and Rényi [10], and can also be proven directly.

Lemma 5.1 Every finite group G has an efficient generating set. 

Given finite groups $\Gamma$ and $G$, we say that functions $f, g : \Gamma \to G$ are $\varepsilon$-close if

$$\Pr[f(x) \ne g(x)] < \varepsilon.$$

Also, recall that $f : \Gamma \to G$ is a homomorphism if $f(xy) = f(x) f(y)$ for all $x, y \in \Gamma$. The following two propositions relate $\varepsilon$-closeness to homomorphisms.

Proposition 5.2 If two homomorphisms $f, g : \Gamma \to G$ are $(1/2 - \varepsilon)$-close for any $\varepsilon > 0$, then $f = g$.

Proof. Fix $x \in \Gamma$; then for all $y \in \Gamma$, we have $f(x) = f(y) f(y^{-1}x)$ and $g(x) = g(y) g(y^{-1}x)$. By the union bound,

$$\Pr_y[f(y) = g(y) \wedge f(y^{-1}x) = g(y^{-1}x)] \ge 1 - \Pr_y[f(y) \ne g(y)] - \Pr_y[f(y^{-1}x) \ne g(y^{-1}x)] > 0.$$

Hence there exists a $y$ such that $f(y) = g(y)$ and $f(y^{-1}x) = g(y^{-1}x)$. But this implies that $f(x) = g(x)$. ■

In particular, Proposition 5.2 implies that if a function $f$ is 1/5-close to a homomorphism, then it is 1/5-close to a unique homomorphism (1/5 being an arbitrary constant less than 1/4).

Proposition 5.3 (Ben-Or et al. [6]) Given finite groups $\Gamma$ and $G$, a function $f : \Gamma \to G$, and a real number $\varepsilon > 0$, if

$$\Pr_{x, y \in \Gamma}[f(xy) \ne f(x) f(y)] < \varepsilon$$

then $f$ is $\varepsilon$-close to a homomorphism.
Together, Propositions 5.2 and 5.3 have the following easy corollary.

Corollary 5.4 Given finite groups $\Gamma$ and $G$ and a function $f : \Gamma \to G$, there exists a randomized algorithm that makes $O(1)$ oracle queries to $f$, accepts with probability 1 if $f$ is a homomorphism, and rejects with probability at least 2/3 if $f$ is not 1/5-close to a homomorphism. Also, if $f$ is 1/5-close to some homomorphism $\tilde{f}$, then there exists a randomized algorithm that, given an input $x \in \Gamma$, makes $O(r)$ oracle queries to $f$, and outputs $\tilde{f}(x)$ with probability at least $1 - 1/2^r$.

Proof. The first algorithm simply chooses $O(1)$ pairs $x, y \in \Gamma$ uniformly at random, accepts if $f(xy) = f(x) f(y)$ for all of them, and rejects otherwise. Let $k = O(r)$. Then the second algorithm chooses $z_1, \ldots, z_k \in \Gamma$ uniformly at random, and outputs the plurality answer among $f(z_1) f(z_1^{-1}x), \ldots, f(z_k) f(z_k^{-1}x)$ (breaking ties arbitrarily). ■

Interestingly, despite the simplicity of the next result, it is not known how to prove it without using the Classification of Finite Simple Groups.

Theorem 5.5 Let $F(N)$ be the number of groups of order $N$ up to isomorphism. Then $F(N) = N^{O(\log^2 N)}$.

Proof. Let $F_{\mathrm{simple}}(N)$ be the number of simple groups of order $N$ up to isomorphism. Neumann [20] showed in 1969 that if $F_{\mathrm{simple}}(N) = N^{O((\log_2 N)^2)}$, then $F(N) = N^{O((\log_2 N)^2)}$ as well. Since the Classification of Finite Simple Groups established that $F_{\mathrm{simple}}(N) \le 2$ (see Lubotzky [16] for example), the theorem follows. ■

Finally, recall that the Hidden Subgroup Problem (HSP) is defined as follows. We are given a finite group $G$, and oracle access to a function $f : G \to Z$. We are promised that there exists a "hidden subgroup" $H \le G$ such that $f(x) = f(y)$ if and only if $x$ and $y$ belong to the same left coset of $H$. The problem is then to output a set of generators for $H$. Whether HSP can be solved in quantum polynomial time, for various non-abelian groups $G$, is one of the most actively studied questions in quantum computing. However, if we only care about query complexity, then Ettinger, Høyer, and Knill [11] proved the following useful result.

Theorem 5.6 ([11]) For all finite groups $G$, there exists a quantum algorithm that solves HSP using only $\mathrm{polylog}(|G|)$ quantum queries to $f$ (together with a possibly exponential amount of postprocessing).

We can now prove Theorem 1.2, that GNM has polynomially-bounded QCMA query complexity.

Proof of Theorem 1.2. Let $G$ be a group of order at most $2^n$, and let $O$ be a group oracle that maps each element of $G$ to an $n$-bit label. Also, given (the labels of) group elements $x, h_1, \ldots, h_m \in G$, let $H$ be the subgroup of $G$ generated by $\langle h_1, \ldots, h_m \rangle$. Then the problem is to decide if $x \notin H$.

In our QCMA protocol for this problem, Merlin's witness will consist of the following:

• An explicit "model group" $\Gamma$, of order at most $2^n$.

• A list of elements $\gamma_1, \ldots, \gamma_k \in \Gamma$, where $k = O(\log |\Gamma|)$.

• A corresponding list $g_1, \ldots, g_k \in G$.

• Another list $z, \lambda_1, \ldots, \lambda_m \in \Gamma$.

By Theorem 5.5, there are at most $2^{\mathrm{poly}(n)}$ groups of order $|\Gamma| \le 2^n$ up to isomorphism. From this it follows that Merlin can specify the witness using only $\mathrm{poly}(n)$ bits.

Now if Merlin is honest, then the witness will satisfy the following three properties:

(1) $\gamma_1, \ldots, \gamma_k$ is an efficient generating set for $\Gamma$.

(2) $z \notin \Lambda$, where $\Lambda$ is the subgroup of $\Gamma$ generated by $\langle \lambda_1, \ldots, \lambda_m \rangle$.

(3) There exists an embedding $f : \Gamma \to G$, such that (i) $f(\gamma_i) = g_i$ for all $i \in \{1, \ldots, k\}$, (ii) $f(\lambda_j) = h_j$ for all $j \in \{1, \ldots, m\}$, and (iii) $f(z) = x$.

Suppose for the moment that (1)-(3) all hold. Then there exists an embedding $f : \Gamma \to G$, which maps the set $\langle \gamma_1, \ldots, \gamma_k \rangle$ in $\Gamma$ to the set $\langle g_1, \ldots, g_k \rangle$ in $G$. Furthermore, this embedding satisfies $f(\Lambda) = H$ and $f(z) = x$. Since $z \notin \Lambda$ by (2), it follows that $x \notin H$ as well, which is what Arthur wanted to check.

So it suffices to verify (1)-(3). In the remainder of the proof, we will explain how to do this using a possibly exponential amount of computation, but only $\mathrm{poly}(n)$ quantum queries to the group oracle $O$.

First, since properties (1) and (2) only involve the explicit group $\Gamma$, not the black-box group $G$, Arthur can verify these properties "free of cost." In other words, regardless of how much computation he needs, he never has to query the group oracle.

The nontrivial part is to verify (3). It will be convenient to split (3) into the following sub-claims:

(3a) There exists a homomorphism $\tilde{f} : \Gamma \to G$ such that $\tilde{f}(\gamma_i) = g_i$ for all $i \in \{1, \ldots, k\}$.

(3b) $\tilde{f}$ satisfies $\tilde{f}(z) = x$ and $\tilde{f}(\lambda_j) = h_j$ for all $j \in \{1, \ldots, m\}$.

(3c) $\tilde{f}$ is injective (i.e. is an embedding into $G$).

To verify (3a), first Arthur fixes a "canonical representation" of each element $\gamma \in \Gamma$. This representation has the form

$$\gamma = \gamma_1^{e_1} \cdots \gamma_k^{e_k},$$

where $\langle \gamma_1, \ldots, \gamma_k \rangle$ is the efficient generating set for $\Gamma$, and $e_1, \ldots, e_k \in \{0, 1\}$ are bits depending on $\gamma$. Next he defines a function $f : \Gamma \to G$ by

for all $\gamma \in \Gamma$. By using the canonical representation of $\gamma$, Arthur can evaluate $f(\gamma)$ using at most $k - 1$ queries to the group oracle $O$. Finally Arthur appeals to Corollary 5.4. If $f$ is not 1/5-close to a homomorphism, then by using $O(1)$ queries to $f$, with high probability Arthur can detect that $f$ is not a homomorphism. In that case Merlin has been caught cheating, so Arthur rejects. On the other hand, if $f$ is 1/5-close to some homomorphism $\tilde{f}$, then by using $O(\log |\Gamma|)$ queries to $f$, with high probability Arthur can "correct" $f$ to $\tilde{f}$. In that case it remains only to check that $\tilde{f}(\gamma_i) = g_i$ for all $i \in \{1, \ldots, k\}$.

Once Arthur has an efficient procedure for computing $\tilde{f}$ — that is, a procedure that involves only $\mathrm{poly}(n)$ queries to $O$ — he can then verify property (3b) directly.

To verify (3c), Arthur runs the algorithm of Ettinger, Høyer, and Knill [11] for the Hidden Subgroup Problem. Notice that, since $\tilde{f} : \Gamma \to G$ is a homomorphism, there must be a "hidden subgroup" $K \le \Gamma$ — namely the kernel of $\tilde{f}$ — such that $\tilde{f}$ is constant on cosets of $K$ and distinct on distinct cosets. Furthermore, $\tilde{f}$ is injective if and only if $K$ is trivial. But deciding whether $K$ is trivial is just an instance of HSP, and can therefore be solved using $\mathrm{poly}(n)$ quantum queries by Theorem 5.6. ■
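Arthur's check of (3a) together with the two algorithms of Corollary 5.4, as an added Python example rather than code from the paper. The model group $S_4$, its five-element generating set, the hidden embedding, the classical `GroupOracle` (a plain multiplication oracle standing in for the quantum group oracle), the assumption that Arthur knows the identity label, and all names are made up for illustration.

```python
import itertools
import random
from collections import Counter

E = (0, 1, 2, 3)
GAMMA = list(itertools.permutations(range(4)))   # explicit model group: S_4

def mul(p, q):                                    # (p*q)(i) = p(q(i))
    return tuple(p[i] for i in q)

def inv(p):
    return tuple(sorted(range(len(p)), key=p.__getitem__))

A, B = (1, 0, 3, 2), (2, 3, 0, 1)                 # generate the Klein four-group
C, S = (1, 2, 0, 3), (1, 0, 2, 3)                 # a 3-cycle and a transposition
GENS = [A, B, C, C, S]                            # A^e1 B^e2 C^e3 C^e4 S^e5 covers S_4

def canonical_reps(gens):
    """Map each element to the first exponent vector (e_1..e_k) producing it."""
    reps = {}
    for bits in itertools.product((0, 1), repeat=len(gens)):
        g = E
        for e, gen in zip(bits, gens):
            if e:
                g = mul(g, gen)
        reps.setdefault(g, bits)
    return reps

class GroupOracle:
    """Black-box G: a copy of S_4 behind random 16-bit labels; counts queries."""
    def __init__(self, rng):
        labels = rng.sample(range(2 ** 16), len(GAMMA))
        self.label = dict(zip(GAMMA, labels))
        self.elem = {lab: g for g, lab in self.label.items()}
        self.queries = 0
    def mul(self, x, y):
        self.queries += 1
        return self.label[mul(self.elem[x], self.elem[y])]

def arthur_f(reps, images, oracle, identity):
    """f(gamma) = g_1^e1 ... g_k^ek using at most k - 1 oracle multiplications."""
    def f(gamma):
        out = None
        for e, g in zip(reps[gamma], images):
            if e:
                out = g if out is None else oracle.mul(out, g)
        return identity if out is None else out
    return f

def violation_rate(f, oracle):
    """Exact Pr[f(xy) != f(x)f(y)] over all pairs (feasible only for tiny groups)."""
    bad = sum(f(mul(x, y)) != oracle.mul(f(x), f(y)) for x in GAMMA for y in GAMMA)
    return bad / len(GAMMA) ** 2

def hom_test(f, oracle, rng, trials=20):
    """First algorithm of Corollary 5.4: reject if any random pair fails."""
    pairs = [(rng.choice(GAMMA), rng.choice(GAMMA)) for _ in range(trials)]
    return all(f(mul(x, y)) == oracle.mul(f(x), f(y)) for x, y in pairs)

def self_correct(f, oracle, x, rng, k=61):
    """Second algorithm: plurality of f(z) f(z^-1 x) over k random z."""
    zs = [rng.choice(GAMMA) for _ in range(k)]
    votes = Counter(oracle.mul(f(z), f(mul(inv(z), x))) for z in zs)
    return votes.most_common(1)[0][0]

def demo(seed=2024):
    rng = random.Random(seed)
    oracle = GroupOracle(rng)
    t = (1, 2, 3, 0)                              # hidden embedding: conjugation by t
    phi = {g: oracle.label[mul(mul(t, g), inv(t))] for g in GAMMA}
    reps = canonical_reps(GENS)
    honest = arthur_f(reps, [phi[g] for g in GENS], oracle, phi[E])
    # Cheating witness: order-2 generator S paired with the image of order-3 C.
    cheat = arthur_f(reps, [phi[g] for g in GENS[:-1]] + [phi[C]], oracle, phi[E])
    corrupted = {GAMMA[5], GAMMA[17]}             # 2 of 24 values: 1/12-close
    def noisy(g):
        return phi[E] if g in corrupted else honest(g)
    fixed = all(self_correct(noisy, oracle, x, rng) == phi[x] for x in GAMMA)
    return {
        "reps_cover_gamma": len(reps) == len(GAMMA),
        "honest_rate": violation_rate(honest, oracle),
        "honest_passes": hom_test(honest, oracle, rng),
        "cheat_rate": violation_rate(cheat, oracle),
        "noisy_corrected": fixed,
    }
```

The cheating witness is caught because $f(S)f(S)$ is the image of $C^2$ while $f(S \cdot S) = f(e)$ is the identity, so the homomorphism condition fails on at least one pair.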



5.1 Computational Complexity 



Theorem 1.2 showed that one can always verify group non-membership using a polynomial-size classical witness, together with polynomially many quantum queries to the group oracle $O$. Unfortunately, while the query complexity is polynomial, the computational complexity might be exponential. However, as mentioned in Section 1.1, we conjecture that this shortcoming of Theorem 1.2 can be removed, and that GNM is in QCMA for any group oracle $O$.

In our QCMA protocol, the main computational problem that needs to be solved is not the general HSP, but rather the Normal Hidden Subgroup Problem (NHSP) — that is, HSP where the hidden subgroup is normal. This is because the kernel of a homomorphism is always a normal subgroup. Hallgren, Russell, and Ta-Shma [13] showed that NHSP is in BQP for any explicit group $\Gamma$, provided the quantum Fourier transform over $\Gamma$ can be implemented efficiently. Furthermore, Moore, Rockmore, and Russell [18] showed that many classes of finite groups $G$ have an explicit model $\Gamma \cong G$ for which this assumption holds.

However, even if it can be shown that NHSP is in BQP, there are two remaining obstacles to showing that GNM is in QCMA. First, we need to be able to verify group non-membership in the explicit model group $\Gamma$ — possibly with the help of additional classical information from Merlin. And second, we need an efficient algorithm to compute the function $f : \Gamma \to G$ for every $\gamma \in \Gamma$, even though $f$ is explicitly defined only on the generators $\gamma_1, \ldots, \gamma_k$.

More precisely, we need that for every finite group $G$, there should exist an explicit model group $\Gamma \cong G$, together with a list of generators $\gamma_1, \ldots, \gamma_k \in \Gamma$ with $k = O(\mathrm{polylog}\, |G|)$, such that

(i) NHSP over $\Gamma$ is in BQP,

(ii) GNM over $\Gamma$ is in QCMA, and

(iii) Every $\gamma \in \Gamma$ can be efficiently decomposed into a product of $\gamma_1, \ldots, \gamma_k$.

These steps have already been completed for several classes of groups. For example, if $G$ is abelian, then there exists a model $\Gamma \cong \mathbb{Z}/r_1 \times \cdots \times \mathbb{Z}/r_k$ for which NHSP is in BQP by the work of Shor [22] and Kitaev [15]; GNM is in P by linear algebra; and the classification of finite abelian groups yields an efficient decomposition. If $G$ is isomorphic to the symmetric group $S_n$, then for the model $\Gamma = S_n$, we have that NHSP is trivial (since the only normal subgroup is $A_n$); GNM is in P by the work of Sims [23]; and $S_n$ is efficiently generated by transpositions. Indeed, Babai [4] has conjectured that every finite group $G$ has an explicit model group $\Gamma$ for which GNM is in $\mathrm{NP} \cap \mathrm{coNP}$. We conjecture that all three steps can be completed — first for finite simple groups, using their classification, and then for arbitrary groups using Jordan-Hölder composition series.

6 Mimicking Random Quantum Oracles 

We have seen, on the one hand, that there exists a quantum oracle separating QMA from QCMA; and on the other 
hand, that separating these classes by a classical oracle seems much more difficult. Together, these results raise a 
general question: how much "stronger" are quantum oracles than classical ones? In particular, are there complexity 
classes $\mathcal{C}$ and $\mathcal{D}$ that can be separated by quantum oracles, but such that separating them by classical oracles is almost
as hard as separating them in the unrelativized world? Whatever the answer, we conjecture that QMA and QCMA 
are not examples of such classes. The reason is that it seems possible, using only classical oracles, to approximate 
quantum oracles similar to ones that would separate QMA from QCMA. 

To illustrate, let $\sigma$ be the uniform probability measure over $2^n \times 2^n$ unitary diagonal matrices. (In other words, each diagonal entry of $D \in \sigma$ is a random complex number with norm 1.) Also, let $H^{\otimes n}$ be a tensor product of $n$ Hadamard matrices. Then let $\varsigma_k$ be the probability measure over $2^n \times 2^n$ unitary matrices

$$U = D_k H^{\otimes n} D_{k-1} H^{\otimes n} \cdots H^{\otimes n} D_1 H^{\otimes n}$$

induced by drawing each $D_i$ independently from $\sigma$. In other words, $U \in \varsigma_k$ is obtained by first applying a Hadamard gate to each qubit, then a random $2^n \times 2^n$ diagonal matrix, then Hadamard gates again, then another random diagonal matrix, and so on $k$ times.

Note that we can efficiently apply such a $U$ — at least to polynomially many bits of precision — if given a classical random oracle $A$. To do so, we simply implement the random diagonal matrix $D_i$ as

$$\sum_{x \in \{0,1\}^n} \alpha_x |x\rangle \to \sum_{x \in \{0,1\}^n} \omega^{A(i,x)} \alpha_x |x\rangle,$$

where $A(i,x)$ is a uniformly random $n$-bit integer indexed by $i$ and $x$, and $\omega = e^{2\pi i / 2^n}$.
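An added example (not from the paper) that applies $U = D_k H^{\otimes n} \cdots D_1 H^{\otimes n}$ to an explicit state vector, with SHA-256 standing in for the random oracle $A$. The seed and function names are assumptions, and the simulation is exponential in $n$, so it is meant for small $n$ only.

```python
import cmath
import hashlib
import math

def oracle_A(i, x, n, seed=b"constructed-seed"):
    """Stand-in for the random oracle A: an n-bit integer indexed by (i, x)."""
    data = seed + i.to_bytes(4, "big") + x.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (2 ** n)

def hadamard_all(vec):
    """Apply a Hadamard gate to every qubit (fast Walsh-Hadamard transform)."""
    v, h = list(vec), 1
    while h < len(v):
        for start in range(0, len(v), 2 * h):
            for j in range(start, start + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    scale = 1 / math.sqrt(len(v))
    return [scale * a for a in v]

def apply_U(vec, n, k):
    """Apply U = D_k H ... D_1 H; the rightmost factor acts first."""
    omega = cmath.exp(2j * math.pi / 2 ** n)
    v = list(vec)
    for i in range(1, k + 1):
        v = hadamard_all(v)
        # D_i multiplies the amplitude of |x> by omega^A(i, x)
        v = [omega ** oracle_A(i, x, n) * a for x, a in enumerate(v)]
    return v

def matrix_of_U(n, k):
    """Columns U|x> for every basis state |x>."""
    size = 2 ** n
    return [apply_U([1 if r == c else 0 for r in range(size)], n, k)
            for c in range(size)]

def unitarity_defect(cols):
    """Largest deviation of <U x|U y> from the Kronecker delta."""
    worst = 0.0
    for a, col_a in enumerate(cols):
        for b, col_b in enumerate(cols):
            ip = sum(u.conjugate() * w for u, w in zip(col_a, col_b))
            worst = max(worst, abs(ip - (1 if a == b else 0)))
    return worst
```

Each layer costs one oracle lookup per basis state here; a quantum algorithm would instead make one query in superposition per layer, for $k$ queries in total.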

Now let $\mu$ be the uniform probability measure over $2^n \times 2^n$ unitary matrices. If $k \ll 2^n$, then $\varsigma_k$ is not close to $\mu$ in variation distance, since the former has only $\Theta(k 2^n)$ degrees of freedom while the latter has $\Theta(k 4^n)$.[*] On the other hand, we conjecture that a $U$ drawn from $\varsigma_k$ will "look random" to any polynomial-time algorithm, and that this property can be used to prove a classical oracle separation between QMA and QCMA.

Let us explain what we mean in more detail. Suppose we are given access to an $n$-qubit unitary oracle $U$, and want to decide whether



[*] Admittedly, it is still conceivable that the finite-precision version of $\varsigma_k$ is close in variation distance to the finite-precision version of $\mu$. However, a more sophisticated argument that counts distinguishable unitaries rules out that possibility as well.
(i) $U$ was drawn uniformly at random (that is, from $\mu$), or

(ii) $U$ was drawn uniformly at random conditioned on there existing $n/2$-qubit pure states $|\psi\rangle$ and $|\varphi\rangle$ such that $U(|0\rangle^{\otimes n/2} |\psi\rangle) \approx |0\rangle^{\otimes n/2} |\varphi\rangle$.

In case (i), the states $|\psi\rangle$ and $|\varphi\rangle$ will exist only with negligible probability.[**] It follows that the above problem is in QMA — since if case (ii) holds, then a succinct quantum proof of that fact is just $|\psi\rangle$ itself. We now state three conjectures about this problem, in increasing order of difficulty.

Conjecture 6.1 The above problem is not in QCMA. In other words, if case (ii) holds, there is no succinct classical proof of that fact that can be verified with high probability using $\mathrm{poly}(n)$ quantum queries to $U$.

Presumably Conjecture 6.1 can be proved using ideas similar to those in Section 3. If so, then the next step is to replace the uniform measure $\mu$ by the "pseudorandom" measure $\varsigma_k$.

Conjecture 6.2 Suppose that instead of being drawn from $\mu$, the unitary $U$ is drawn from $\varsigma_k$ for some $k = \Omega(n)$. Then the probability that there exist $n/2$-qubit states $|\psi\rangle$ and $|\varphi\rangle$ such that $U(|0\rangle^{\otimes n/2} |\psi\rangle) \approx |0\rangle^{\otimes n/2} |\varphi\rangle$ is still negligibly small.

Now suppose we want to decide whether 

(i') $U$ was drawn from $\varsigma_k$, or

(ii') $U$ was drawn from $\varsigma_k$ conditioned on there existing $n/2$-qubit states $|\psi\rangle$ and $|\varphi\rangle$ such that $U(|0\rangle^{\otimes n/2} |\psi\rangle) \approx |0\rangle^{\otimes n/2} |\varphi\rangle$.

Also, let $A$ be a classical oracle that encodes the diagonal matrices $D_1, \ldots, D_k$ such that

$$U = D_k H^{\otimes n} D_{k-1} H^{\otimes n} \cdots H^{\otimes n} D_1 H^{\otimes n}.$$

If Conjecture 6.2 is true, then case (ii') can be verified in QMA. So to obtain a classical oracle separation between QMA and QCMA, the one remaining step would be to prove the following.

Conjecture 6.3 Case (ii') cannot be verified in QCMA.

6.1 From Random Oracles to Random Unitaries 

The previous discussion immediately suggests even simpler questions about the ability of classical oracles to mimic 
quantum ones. In particular, could a BQP machine use a classical random oracle to prepare a uniformly random 
n-qubit pure state? Also, could it use such an oracle to apply a random n-qubit unitary? 

In this section we answer the first question in the affirmative, and present partial results about the second question. 
We first need a notion that we call the "$\varepsilon$-smoothing" of a probability measure.

Definition 6.4 Let $\sigma$ be a probability measure over $|\psi\rangle \in \mathbb{CP}^{2^n - 1}$. Then the $\varepsilon$-smoothing of $\sigma$, or $S_\varepsilon(\sigma)$, is the probability measure obtained by first drawing a state $|\psi\rangle$ from $\sigma$, and then drawing a state $|\varphi\rangle$ uniformly at random subject to $|\langle \varphi | \psi \rangle| \ge 1 - \varepsilon$.

Let $\mu$ be the uniform measure over $\mathbb{CP}^{2^n - 1}$. Also, let $Q$ be a quantum algorithm that queries a classical oracle $A$. Suppose that, given $0^n$ as input, $Q^A$ outputs the pure state $|\psi_A\rangle \in \mathbb{CP}^{2^n - 1}$. Then we say that $Q$ "approximates the uniform measure within $\varepsilon$" if, as we range over uniform random $A \subseteq \{0, 1\}^n$, the induced probability measure $\sigma$ over $|\psi_A\rangle$ satisfies $\|S_\varepsilon(\sigma) - \mu\| \le \varepsilon$.

[**] Indeed, the reason we did not ask for $(n-1)$-qubit states $|\psi\rangle$ and $|\varphi\rangle$ such that $U(|0\rangle |\psi\rangle) \approx |0\rangle |\varphi\rangle$ is that such states will exist generically. Asking for $(n-2)$-qubit states $|\psi\rangle$ and $|\varphi\rangle$ such that $U(|00\rangle |\psi\rangle) \approx |00\rangle |\varphi\rangle$ might suffice, but we wish to stay on the safe side.
Theorem 6.5 For all polynomials $p$, there exists a quantum oracle algorithm $Q$ that runs in expected polynomial time, and that approximates the uniform measure within $2^{-p(n)}$.

Proof Sketch. The algorithm $Q$ is as follows: first prepare a uniform superposition over $n$-bit strings. Then, using the classical random oracle $A$ as a source of random bits, map this state to

$$|\Psi\rangle = \frac{1}{2^{n/2}} \sum_{x \in \{0,1\}^n} |x\rangle \left( \sqrt{1 - |\alpha_x|^2}\, |0\rangle + \alpha_x |1\rangle \right),$$

where each ax is essentially a Gaussian random variable. More precisely, let q (n) ^ {n + p (n)) . Then each 
$\alpha_x$ is drawn independently from a complex Gaussian distribution with mean 0 and variance $1/q(n)$, with the two technicalities that (1) $\alpha_x$ is rounded to $q(n)$ bits of precision, and (2) the cutoff $|\alpha_x| \le 1$ is imposed. (By a tail bound, with overwhelming probability we will have $|\alpha_x| \le 1$ for all $x$ anyway.)

Next measure the second register of $|\Psi\rangle$ in the standard basis. The outcome $|1\rangle$ will be observed with probability $\Omega(1/q(n))$. Furthermore, conditioned on $|1\rangle$ being observed, one can check that the distribution $\sigma$ over the reduced state of the first register satisfies $\|S_{2^{-p(n)}}(\sigma) - \mu\| \le 2^{-p(n)}$. (We omit the calculation.) Hence it suffices to repeat the algorithm $O(q(n))$ times. ■

Theorem 6.5 shows that, by using a classical random oracle $A$, we can efficiently prepare a uniformly random $n$-qubit state $|\psi_A\rangle$. But what if we want to use a random oracle to apply a uniformly random $n$-qubit unitary $U_A$? It is clear that we can do this if we have exponential time: given an oracle $A$, we simply query an exponentially long prefix $A^*$ of $A$, and then treat $A^*$ as an explicit description of a quantum circuit for $U_A$. But what if we can make only polynomially many quantum queries to $A$? We do not know whether that suffices for applying a random unitary; indeed, we do not even have a conjecture about this.

What we can show is that a single quantum query to $A$ does not suffice for applying a random unitary. In particular, suppose every entry of an $n$-qubit unitary matrix $U_A$ is a degree-1 polynomial in the bits of $A$ (as it must be, if $U_A$ is the result of a single quantum query). Then $U_A$ can assume at most $4^{2^n}$ distinct values as we range over the possible $A$'s, as opposed to the $2^{\Omega(4^n)}$ that would be needed to approximate every $n$-qubit unitary. To prove this statement, we first need a lemma about matrices satisfying a certain algebraic relation.

Lemma 6.6 Let $E_1, \ldots, E_M$ be nonzero $N \times N$ matrices over $\mathbb{C}$, and suppose that $E_i E_j^\dagger + E_j E_i^\dagger = 0$ for all $i \ne j$. Then $M \le 2N$.

Proof. Suppose by contradiction that $M > 2N$. Let $e_i^{(k)}$ be the vector in $\mathbb{C}^N$ corresponding to the $k$-th row of $E_i$. Then the condition $E_i E_j^\dagger + E_j E_i^\dagger = 0$ implies that

$$e_i^{(k)} \cdot e_j^{(l)} + e_j^{(k)} \cdot e_i^{(l)} = 0$$

for all $i \ne j$ and $k, l$, where $\cdot$ denotes the complex inner product. Now for all $i$, let $k(i)$ be the minimum $k$ such that $e_i^{(k)} \ne 0$, and consider the vectors $e_1^{(k(1))}, \ldots, e_M^{(k(M))} \in \mathbb{C}^N$. Certainly these vectors are not all orthogonal — indeed, since $M > 2N$, there must exist $i \ne j$ such that $\mathrm{Re}\left( e_i^{(k(i))} \cdot e_j^{(k(j))} \right) \ne 0$. There are now two cases: if $k(i) = k(j)$, then

and we are done. On the other hand, if $k(i) \ne k(j)$, then

$$e_i^{(k(i))} \cdot e_j^{(k(j))} = - e_j^{(k(i))} \cdot e_i^{(k(j))}$$

is nonzero. Hence $e_j^{(k(i))}$ and $e_i^{(k(j))}$ must themselves be nonzero. But if $k(i) > k(j)$, then this contradicts the minimality of $k(i)$, while if $k(i) < k(j)$ then it contradicts the minimality of $k(j)$. ■
We can now prove the main result. 
Theorem 6.7 Let $U(X)$ be an $N \times N$ matrix, every entry of which is a degree-1 complex polynomial in variables $X = (x_1, \ldots, x_k)$. Suppose $U(X)$ is unitary for all $X \in \{0,1\}^k$. Then $U(X)$ can assume at most $4^N$ distinct values as we range over $X \in \{0,1\}^k$.

Proof. By suitable rotation, we can assume without loss of generality that $U(0^k)$ is the $N \times N$ identity $I$. Let $X_i$ be the $k$-bit string with a '1' only in the $i$-th position, and let $E_i := U(X_i) - I$. Then for all $i$,

$$\begin{aligned}
E_i E_i^\dagger &= (U(X_i) - I)(U(X_i)^\dagger - I) \\
&= I - U(X_i) - U(X_i)^\dagger + I \\
&= -E_i - E_i^\dagger.
\end{aligned}$$

Next, for all $i \ne j$, let $X_{ij}$ be the $k$-bit string with '1's only in the $i$-th and $j$-th positions. Since $U(X)$ is an affine function of $X$, we have $U(X_{ij}) = I + E_i + E_j$. Therefore

$$\begin{aligned}
0 &= U(X_{ij}) U(X_{ij})^\dagger - I \\
&= (I + E_i + E_j)(I + E_i^\dagger + E_j^\dagger) - I \\
&= E_i E_j^\dagger + E_j E_i^\dagger + (E_i E_i^\dagger + E_j E_j^\dagger) + E_i + E_i^\dagger + E_j + E_j^\dagger \\
&= E_i E_j^\dagger + E_j E_i^\dagger.
\end{aligned}$$

Here the first line uses unitarity, and the fourth line uses the fact that $E_i + E_i^\dagger = -E_i E_i^\dagger$ and $E_j + E_j^\dagger = -E_j E_j^\dagger$. Lemma 6.6 now implies that there can be at most $2N$ nonzero $E_i$'s. Hence $U(X)$ can depend nontrivially on at most $2N$ bits of $X$, and can assume at most $2^{2N}$ values. ■

7 Open Problems 

The most obvious problems left open by this paper are, first, to prove a classical oracle separation between QMA and QCMA, and second, to prove that the Group Non-Membership problem is in QCMA. We end by listing four other problems.

• The class QMA(2) is defined similarly to QMA, except that now there are two quantum provers who are guaranteed to share no entanglement. Is there a quantum oracle relative to which $\mathrm{QMA}(2) \ne \mathrm{QMA}$?

• Is there a quantum oracle relative to which $\mathrm{BQP/qpoly} \not\subset \mathrm{QMA/poly}$? This would show that Aaronson's containment $\mathrm{BQP/qpoly} \subseteq \mathrm{PP/poly}$ [2] is in some sense close to optimal.

• Can we use the ideas of Section 6 to give a classical oracle relative to which $\mathrm{BQP} \not\subset \mathrm{PH}$? What about a classical oracle relative to which $\mathrm{NP} \subseteq \mathrm{BQP}$ but $\mathrm{PH} \not\subset \mathrm{BQP}$?[*]

• Is there a polynomial-time quantum oracle algorithm $Q$, such that for every $n$-qubit unitary transformation $U$, there exists a classical oracle $A$ such that $Q^A$ approximately implements $U$? Alternatively, would any such algorithm require more than $\mathrm{poly}(n)$ queries to $A$?[**]
[*] Note that a simple relativizing argument shows that if $\mathrm{NP} \subseteq \mathrm{BPP}$ then $\mathrm{PH} \subseteq \mathrm{BPP}$.

[**] We do not even know whether a single query suffices. Note that Theorem 6.7 does not apply here, since we have dropped the requirement that $Q^A$ must implement some $n$-qubit unitary (as opposed to a more general superoperator) for every oracle $A$.